Install SecureAuth RADIUS Server

Follow the steps in this guide to install SecureAuth® Identity Platform RADIUS server version 20.12.xx for the first time. For upgrade instructions, see Upgrade SecureAuth RADIUS Server.

For optimum performance in a large organization, consider installing or upgrading SecureAuth RADIUS separately from the Identity Platform server.

If you have any questions, contact SecureAuth Support.

Installation steps

Before installing SecureAuth RADIUS Server, ensure that you have SecureAuth IdP 9.3 or Identity Platform release 19.07 or later installed.

Note

Do not install SecureAuth Identity Platform RADIUS server version 20.12 on a Windows Domain Controller.

  1. Download the SecureAuth RADIUS Server installation file from the SecureAuth Product Downloads page.

  2. Double-click the SecureAuth-IdP-RADIUS-Server-20.12.13.exe file to start the install wizard.

    If you have not already logged in as an administrator, you will be prompted to do so.

  3. Click Next to proceed.

  4. Select the folder where you want to install the RADIUS Agent.

  5. Select the appropriate checkboxes to enable quick access to the RADIUS Admin Console via a desktop icon or the Start menu selection:

    • Create a Desktop icon.

    • Create an entry in the Start Menu.

  6. Click Next to review settings.

  7. Review settings and do one of the following:

    • Click Back to make edits.

    • Click Install to begin installing the RADIUS service.

  8. After the installation is complete, optionally select the files to start when the wizard closes:

    • View README.

    • Launch RADIUS Administration Console.

  9. Click Finish to close the install wizard.

    If either or both files were selected in the previous step, the requested files are displayed.

Optional configurations

The following are optional configurations you can make to customize the SecureAuth RADIUS Server.

RADIUS admin console configuration to use HTTPS

You can configure the RADIUS admin console to use HTTPS instead of HTTP.

Before you begin, make sure you have the following:

  • SSL certificate via PKCS12 file (PFX_FILE). This can be a self-signed certificate.

  • RADIUS Server installed.

To configure the RADIUS admin console for HTTPS, follow these two short procedures.

  1. At the command prompt, go to the keytool root folder:

    # cd <RADIUS_INSTALLATION_FOLDER>\bin\serverJre\jre\bin
  2. Use the keytool command to import the PFX file into the Oracle Java KeyStore provided with RADIUS, which is located at:

    <RADIUS_INSTALLATION_FOLDER>\bin\serverJre\jre\lib\security\cacerts

    For example,

    # keytool.exe -importkeystore -srckeystore "<PATH_TO_THE_PFX_FILE>" -destkeystore "..\lib\security\cacerts" -srcstoretype pkcs12

    Note

    Oracle sets the destination keystore password by default to "changeit". Make sure to use the right password if this was changed.


    You should see this response if the command was successful:

    Entry for alias <THE_KEY_ALIAS> successfully imported. 

After you import the SSL certificate, do the following to configure RADIUS to use HTTPS.

  1. Create an application.properties file with the following structure:

    server.address=127.0.0.1
    management.port=-1
    spring.messasges.basename=message
    server.ssl.key-store: file:C:\\Program Files\\SecureAuth Corporation\\SecureAuth IdP RADIUS Agent\\bin\\serverJre\\jre\\lib\\security\\cacerts
    server.ssl.key-store-password: <KEYSTORE_PASSWORD>
    server.ssl.key-type: pkcs12
    server.ssl.key-alias: <KEY_ALIAS>
    server.ssl.key-password: <PFX_PASSWORD>
    server.port:<HTTPS_PORT>

    For example:

    server.address=127.0.0.1
    management.port=-1
    spring.messasges.basename=message
    server.ssl.key-store: file:C:\\Program Files\\SecureAuth Corporation\\SecureAuth IdP RADIUS Agent\\bin\\serverJre\\jre\\lib\\security\\cacerts
    server.ssl.key-store-password: abc123
    server.ssl.key-type: pkcs12
    server.ssl.key-alias: 1
    server.ssl.key-password: 456xyz
    server.port:8443
  2. Place the application.properties file in the folder <RADIUS_INSTALLATION_FOLDER>/bin.

    For example:

    C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\application.properties
  3. Use the Windows Services Manager (services.msc) to restart the RADIUS server.

  4. Open the web browser and go to https://localhost:8443/configuration.

    Note

    If you need to undo this change, you can erase the new application.properties file and restart the RADIUS server.
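
The following post-restart check is an added example, not part of the SecureAuth documentation. Run it in PowerShell as an Administrator; it assumes the example install path, key alias 1 and port 8443 shown above, and it confirms the key entry type, the permissions on the file that now holds the passwords, the listener address, and the certificate actually served.

```powershell
# Added example: the values below are this page's example path, alias and port.
$root  = 'C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent'
$props = Join-Path $root 'bin\application.properties'
$jre   = Join-Path $root 'bin\serverJre\jre'
$alias = '1'
$port  = 8443

# 1. The imported alias must be a PrivateKeyEntry; a trustedCertEntry has no
#    private key and cannot serve TLS. keytool prompts for the store password.
& (Join-Path $jre 'bin\keytool.exe') -list -alias $alias `
    -keystore (Join-Path $jre 'lib\security\cacerts')

# 2. application.properties holds both passwords in clear text. Report allow
#    ACEs for Everyone, Authenticated Users or BUILTIN\Users (well-known SIDs).
$broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$sid   = [System.Security.Principal.SecurityIdentifier]
(Get-Acl $props).GetAccessRules($true, $true, $sid) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $broad -contains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Warning "$($_.IdentityReference.Value) has $($_.FileSystemRights) on $props"
    }

# 3. server.address=127.0.0.1 should leave no listener on any other address.
Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -ne '127.0.0.1' } |
    ForEach-Object { Write-Warning "Port $port also listens on $($_.LocalAddress)" }

# 4. Read the certificate the console presents. Chain validation is skipped
#    here only so that a self-signed certificate can be inspected.
$tcp = New-Object System.Net.Sockets.TcpClient('127.0.0.1', $port)
try {
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient('localhost')
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    [pscustomobject]@{
        Protocol   = $ssl.SslProtocol
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
} finally {
    $tcp.Dispose()
}
```

A warning from check 2 is likely on a default install, because files created under Program Files inherit read access for BUILTIN\Users. Compare the thumbprint from check 4 with the fingerprint of the PFX you imported.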

Disable special character support in user IDs (SecureAuth IdP 9.2 only)

Customers running SecureAuth IdP 9.2 must disable support for special characters; otherwise, end users who use special characters in their user IDs will not be able to authenticate.

  1. Open the appliance.radius.properties file in a text editor.

    This file is located in the conf folder. For example: C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\conf

  2. Set enable.special.characters.for.userid=false.
  3. Save your changes.

Display multiple authentication devices

Allow end users to select their authentication device if they have more than one device.

  1. Open the appliance.radius.properties file in a text editor.

    This file is located in the conf folder. For example: C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\conf

  2. Add the radius.oath.strategy=ask_by_otp_device property.
  3. Save your change.

End user experience

When end users with multiple devices authenticate, the following screen appears:

60573994.png

Additionally, SecureAuth RADIUS server supports both HMAC-based One-Time Password (HOTP) and Time-based One-Time Password (TOTP) in seed and token modes, so the TOTP/HOTP authentication type appears instead of OTP:

60573992.png

Maximize login requests with timeout value

Maximize successful login requests to the Identity Platform by setting a timeout value.

  1. Open the appliance.radius.properties file in a text editor.

    This file is located in the conf folder. For example: C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\conf

  2. Add the idp.api.timeout=n property, where n is the timeout value in milliseconds.

    For example, idp.api.timeout=50000.

    If a value for idp.api.timeout is not specified, it is set to 50000 by default.

  3. Save your change.

Set the number of UDP processor threads

Set the number of User Datagram Protocol (UDP) processor threads that SecureAuth RADIUS can use to receive access-request packets.

  1. Open the appliance.radius.properties file in a text editor.

    This file is located in the conf folder. For example: C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\conf

  2. Add the radius.processorThreads=n property, where n is the number of processor threads.

    For example, radius.processorThreads=50.

    If a value for radius.processorThreads is not specified, it is set to 50 by default for best performance.

  3. Save your change.

  4. Open your system's Task Manager and select the Services tab.

  5. Right-click secureAuthRadius and click Restart.

    When you lose connection, cancel out of the reconnect dialog.

  6. Select the Services tab and copy the PID for the java.exe process.

  7. Open PowerShell as an Administrator.

  8. Append the PID for the java.exe process to jconsole.exe and run the command.

    jconsole.exe <PID> 

    For example:

    jconsole.exe 4648

Set the PIN length for PIN + OTP authentication

Set the PIN length for your end users for the PIN + OTP authentication workflow.

  1. Open the appliance.radius.properties file in a text editor.

    This file is located in the conf folder. For example: C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\conf

  2. Add the pin.length = n property, where n is the PIN length. Set a PIN length of up to 18 digits.

    For example, pin.length = 8.

  3. Save your change.

Next steps

Configure SecureAuth RADIUS server version 20.12